
AIA callback to retrieve missing chain certificates

Sahana Prasad requested to merge sahprasa/gnutls:aia into master

This PR implements a callback function that allows applications to insert missing certificates from incomplete certificate chains.

The callback function exposed by the GnuTLS library to the applications is gnutls_x509_trust_list_set_getissuer_function().

void gnutls_x509_trust_list_set_getissuer_function(gnutls_x509_trust_list_t tlist, gnutls_trust_list_getissuer_function *func);

This function sets a callback to the function with prototype

int gnutls_trust_list_getissuer_function(gnutls_x509_trust_list_t tlist, gnutls_x509_crt_t crt);

The application can manually append the missing issuer certificate of 'crt' by populating it in 'issuer' and adding it to 'tlist' using gnutls_x509_trust_list_add_cas(tlist, &issuer, 1, 0); There are two ways to do it:

  1. If 'crt' does not have an Authority Information Access (AIA) extension, but the missing certificate is already known, append it to the incomplete certificate chain by directly populating it into 'issuer'. See the missingissuer.c test for an example.

  2. If 'crt' has an Authority Information Access (AIA) extension, extract the URI of the missing certificate. Download the missing certificate manually from this URI and append it to the incomplete certificate chain by directly populating it into 'issuer'. See the missingissuer_aia.c test for an example.

Resolves #202 (closed)

Note: Dynamic downloading of certificates via gnutls-cli is not yet implemented. It will be implemented as part of #968 (closed)

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • Code modified for feature
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated / NEWS entry present (for non-trivial changes)
  • CI timeout is 2h or higher (see Settings/CICD/General pipelines/Timeout)

Reviewer's checklist:

  • Any issues marked for closing are addressed
  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to CONTRIBUTION.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
Edited by Daiki Ueno

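The second case in the description above, extracting the caIssuers URI from the AIA extension so the callback knows where the missing issuer lives, as an added example that is not part of this merge request or of GnuTLS. It walks the DER of an AuthorityInfoAccess value directly so it builds without GnuTLS headers; the sample bytes are constructed inline (they come from no real certificate), and the function names, the der_put helper and the example.test URIs are the example's own. In a real getissuer callback an application would get the same value from gnutls_x509_crt_get_authority_info_access(), download the certificate at that URI, and then add it as the description shows.

```c
/* Minimal DER walker for an X.509 AuthorityInfoAccess value (RFC 5280 4.2.2.1).
 * Added example, not GnuTLS code. Lengths in short form and 1- or 2-byte long
 * form are handled, which covers any AIA a real certificate carries. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* id-ad-caIssuers = 1.3.6.1.5.5.7.48.2, id-ad-ocsp = 1.3.6.1.5.5.7.48.1 */
static const uint8_t OID_CA_ISSUERS[] = {0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x02};
static const uint8_t OID_OCSP[]       = {0x2b,0x06,0x01,0x05,0x05,0x07,0x30,0x01};

/* Decode one TLV header at p. Returns the header size, or 0 when the header is
 * malformed or the declared length would run past the `avail` bytes. */
static size_t der_header(const uint8_t *p, size_t avail, uint8_t *tag, size_t *len)
{
    if (avail < 2) return 0;
    *tag = p[0];
    size_t hdr = 2;
    if (p[1] < 0x80) {
        *len = p[1];
    } else {
        size_t nbytes = p[1] & 0x7f;
        if (nbytes == 0 || nbytes > 2 || avail < 2 + nbytes) return 0;
        *len = 0;
        for (size_t i = 0; i < nbytes; i++) *len = (*len << 8) | p[2 + i];
        hdr += nbytes;
    }
    return (*len <= avail - hdr) ? hdr : 0;   /* never read past the buffer */
}

/* Find the first caIssuers accessLocation that is a URI. Returns 1 and copies
 * the NUL-terminated URI into `uri`, 0 when no such entry exists, -1 on
 * malformed DER or when the URI does not fit. Other accessMethods (OCSP) and
 * other GeneralName choices (directoryName, ...) are skipped, not treated as errors. */
int aia_ca_issuers_uri(const uint8_t *der, size_t der_len, char *uri, size_t uri_cap)
{
    uint8_t tag;
    size_t len, hdr;

    /* AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription */
    hdr = der_header(der, der_len, &tag, &len);
    if (hdr == 0 || tag != 0x30) return -1;
    const uint8_t *p = der + hdr, *end = p + len;

    while (p < end) {
        /* AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName } */
        hdr = der_header(p, (size_t)(end - p), &tag, &len);
        if (hdr == 0 || tag != 0x30) return -1;
        const uint8_t *q = p + hdr, *qend = q + len;
        p = qend;                                 /* advance before inspecting */

        size_t oid_len, oid_hdr = der_header(q, (size_t)(qend - q), &tag, &oid_len);
        if (oid_hdr == 0 || tag != 0x06) return -1;
        const uint8_t *oid = q + oid_hdr;
        q += oid_hdr + oid_len;

        size_t gn_len, gn_hdr = der_header(q, (size_t)(qend - q), &tag, &gn_len);
        if (gn_hdr == 0) return -1;

        /* uniformResourceIdentifier is GeneralName choice [6] IMPLICIT IA5String: tag 0x86 */
        if (tag == 0x86 && oid_len == sizeof OID_CA_ISSUERS &&
            memcmp(oid, OID_CA_ISSUERS, oid_len) == 0) {
            if (gn_len + 1 > uri_cap) return -1;
            memcpy(uri, q + gn_hdr, gn_len);
            uri[gn_len] = '\0';
            return 1;
        }
    }
    return 0;
}

/* --- constructed sample input, used only to exercise the walker --- */

/* Short-form DER TLV writer; every body built below is under 128 bytes. */
static size_t der_put(uint8_t *out, uint8_t tag, const uint8_t *body, size_t len)
{
    out[0] = tag;
    out[1] = (uint8_t)len;
    memcpy(out + 2, body, len);
    return 2 + len;
}

static size_t access_description(uint8_t *out, const uint8_t *oid, size_t oid_len, const char *uri)
{
    uint8_t body[160];
    size_t n = der_put(body, 0x06, oid, oid_len);
    n += der_put(body + n, 0x86, (const uint8_t *)uri, strlen(uri));
    return der_put(out, 0x30, body, n);
}

/* AIA with an OCSP responder first and, optionally, a caIssuers URI after it,
 * so the walker has to skip an entry rather than take the first one. */
size_t build_sample_aia(uint8_t *out, int include_ca_issuers)
{
    uint8_t body[256];
    size_t n = access_description(body, OID_OCSP, sizeof OID_OCSP, "http://ocsp.example.test");
    if (include_ca_issuers)
        n += access_description(body + n, OID_CA_ISSUERS, sizeof OID_CA_ISSUERS,
                                "http://ca.example.test/issuer.cer");
    return der_put(out, 0x30, body, n);
}

int main(void)
{
    uint8_t aia[256];
    char uri[128];
    size_t n = build_sample_aia(aia, 1);
    int rc = aia_ca_issuers_uri(aia, n, uri, sizeof uri);
    if (rc == 1)
        printf("fetch issuer from: %s\n", uri);   /* what the callback would download */
    else
        printf("no caIssuers URI (rc=%d): use a local store or fail closed\n", rc);
    return rc == 1 ? 0 : 1;
}
```

Two caveats for the callback that consumes this URI. The AIA value comes from a certificate the peer supplied and that has not been verified yet, so the download is attacker-directed egress: cap the response size, set a timeout, and do not let it reach internal hosts; plain http is the normal scheme here because the fetched certificate is checked through the chain's signatures, not through transport security. And a certificate obtained this way must never become trusted on its own; it only closes the gap in the chain, which still has to end at an anchor that was already in the trust list.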